Notebook infected with System Tool and other malware


Re: Notebook infected with System Tool and other malware

Unread postby xixo_12 » April 4th, 2011, 7:02 am

Hi,
Let's proceed.
Looking good right now. :)

First,
CFScript
  • Close any open browsers.
  • Open notepad and copy/paste the text in the code box below into it:
    Code:
    http://malwareremoval.com/forum/viewtopic.php?p=574028#p574028
    RenV::
    c:\program files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
    c:\program files\DivX\DivX Update\DivXUpdate .exe
    c:\program files\EeePC\ACPI\AsAcpiSvr .exe
    c:\program files\EeePC\ACPI\AsEPCMon .exe
    c:\program files\EeePC\ACPI\AsTray .exe
    c:\program files\Elantech\ETDCtrl .exe
    c:\program files\Elantech\ETDDect .exe
    c:\program files\iTunes\iTunesHelper .exe
    c:\program files\Messenger\msmsgs .exe
    c:\program files\real\realplayer\Update\realsched .exe
    c:\program files\Windows Live\Messenger\msnmsgr     .exe
    c:\program files\WordWeb\wweb32 .exe
    c:\windows\ime\imjp8_1\IMJPMIG .exe
    Suspect::
    c:\windows\UDB.zip
    c:\windows\system32\drivers\3078356788.sys
    Folder::
    c:\documents and settings\Work\Application Data\Nebu
    DirLook::
    c:\documents and settings\Work\Application Data\Axkoyz
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Disable your AntiVirus/AntiSpyware/Firewall applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


What you need to post
Checklist.
  • Content of ComboFix.txt
  • Please describe your computer behaviour
xixo_12
MRU Master Emeritus
Posts: 2340
Joined: October 14th, 2008, 11:40 am
Location: Malaysia
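Every path under RenV:: in the script above is a legitimate program whose file name has had whitespace inserted before .exe (msnmsgr     .exe, iTunesHelper .exe, and so on), so the Run-key and MSConfig entries that point at the real name no longer launch it; RenV:: is handed the names as they currently exist on disk. The following Python is an added example, not part of the post and not a ComboFix component: it scans a list of autostart entries for that pattern, reports the name each file should have, and emits the RenV:: section of a CFScript in the same layout as the one above. The entry locations in SAMPLE_ENTRIES are illustrative; the paths are taken from the script.

```python
import re

# Constructed sample of autostart entries as (where it is registered, command path).
# The paths are those listed in the CFScript above; the entry names are illustrative.
SAMPLE_ENTRIES = [
    ("HKLM\\Run\\IgfxTray", r"c:\windows\system32\igfxtray.exe"),
    ("HKCU\\Run\\msnmsgr", r"c:\program files\Windows Live\Messenger\msnmsgr     .exe"),
    ("HKLM\\Run\\DivXUpdate", r"c:\program files\DivX\DivX Update\DivXUpdate .exe"),
    ("HKLM\\Run\\iTunesHelper", r"c:\program files\iTunes\iTunesHelper .exe"),
    ("HKLM\\Run\\RTHDCPL", r"RTHDCPL.EXE"),
    ("Startup\\Administrator",
     r"c:\documents and settings\Administrator\Start Menu\Programs\Startup\vavyb.exe"),
]

# One or more whitespace characters immediately before the final extension,
# e.g. "msnmsgr .exe" or "msnmsgr     .exe".
_SPACED_EXT = re.compile(r"\s+(\.(?:exe|dll|sys|scr|com))$", re.IGNORECASE)


def is_spaced_extension(path: str) -> bool:
    """True if the file name has whitespace inserted before its extension."""
    return _SPACED_EXT.search(path) is not None


def normalize(path: str) -> str:
    """Return the path with the inserted whitespace removed."""
    return _SPACED_EXT.sub(r"\1", path)


def find_hijacked(entries):
    """Return (location, name as found, name it should have) for each renamed target."""
    return [(loc, path, normalize(path)) for loc, path in entries if is_spaced_extension(path)]


def build_renv_script(topic_url: str, entries) -> str:
    """Build a CFScript whose RenV:: section lists the mangled names as found on disk.

    The first line is the forum topic URL, as in the script posted above.
    """
    lines = [topic_url, "RenV::"]
    lines += [found for _, found, _ in find_hijacked(entries)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for loc, found, fixed in find_hijacked(SAMPLE_ENTRIES):
        print(f"{loc}: {found!r} -> {fixed!r}")
    print(build_renv_script("http://malwareremoval.com/forum/viewtopic.php?p=574028#p574028",
                            SAMPLE_ENTRIES))
```

The regex deliberately anchors on the extension rather than on a single space, because the log above shows the amount of inserted whitespace varies between entries.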

Re: Notebook infected with System Tool and other malware

Unread postby trestinc » April 4th, 2011, 9:15 pm

So I dragged and dropped the text file CFScript.txt with the code you provided, and I had to update ComboFix.exe. After some time it produced a log (log.txt).

Combofix log

ComboFix 11-04-04.01 - Work 04/04/2011 20:54:14.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.2.1033.18.1015.553 [GMT -4:00]
Running from: c:\documents and settings\Work\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Work\Desktop\CFScript.txt.txt
.
file zipped: c:\windows\UDB.zip
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Work\Application Data\Nebu
c:\documents and settings\Work\Local Settings\Application Data\{D4887D25-F5DF-4FDE-B99E-ACCEE339DC60}
c:\documents and settings\Work\Local Settings\Application Data\{D4887D25-F5DF-4FDE-B99E-ACCEE339DC60}\chrome.manifest
c:\documents and settings\Work\Local Settings\Application Data\{D4887D25-F5DF-4FDE-B99E-ACCEE339DC60}\chrome\content\_cfg.js
c:\documents and settings\Work\Local Settings\Application Data\{D4887D25-F5DF-4FDE-B99E-ACCEE339DC60}\chrome\content\overlay.xul
c:\documents and settings\Work\Local Settings\Application Data\{D4887D25-F5DF-4FDE-B99E-ACCEE339DC60}\install.rdf
.
.
((((((((((((((((((((((((( Files Created from 2011-03-05 to 2011-04-05 )))))))))))))))))))))))))))))))
.
.
2011-04-01 00:15 . 2011-04-01 16:45 -------- d-----w- c:\documents and settings\Work\Application Data\Axkoyz
2011-03-31 20:20 . 2011-03-31 20:20 -------- d-----w- c:\documents and settings\Work\Application Data\Malwarebytes
2011-03-31 20:20 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-31 20:20 . 2011-03-31 20:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-31 20:20 . 2011-03-31 20:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-31 20:20 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-31 03:56 . 2011-01-07 18:54 149456 ----a-w- c:\windows\SGDetectionTool.dll
2011-03-31 03:56 . 2011-01-07 18:54 2000848 ----a-w- c:\windows\PCTBDCore.dll
2011-03-31 03:56 . 2011-01-07 18:54 767952 ----a-w- c:\windows\BDTSupport.dll
2011-03-31 03:56 . 2011-01-07 18:54 1533904 ----a-w- c:\windows\PCTBDRes.dll
2011-03-31 03:52 . 2011-04-03 17:44 -------- d-----w- c:\program files\PC Tools Security
2011-03-31 03:52 . 2011-04-05 01:03 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2011-03-31 03:51 . 2011-04-03 17:39 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2011-03-07 20:32 . 2011-03-07 20:32 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-03-07 20:32 . 2011-03-07 20:32 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-06 15:54 . 2011-03-31 03:56 2125 ----a-w- c:\windows\UDB.zip
2008-05-07 23:34 . 2008-09-11 13:03 15523560 ----a-w- c:\program files\Install AiGuruU1 Skype Phone.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\opera\program\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\opera\program\plugins\ssldivx.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\Work\Application Data\Axkoyz ----
.
.
.
((((((((((((((((((((((((((((( SnapShot@2011-04-03_23.24.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-04-05 01:03 . 2011-04-05 01:03 16384 c:\windows\Temp\Perflib_Perfdata_788.dat
+ 2008-08-09 14:32 . 2011-04-05 00:48 73418 c:\windows\system32\perfc009.dat
- 2008-08-09 14:32 . 2011-04-03 23:26 73418 c:\windows\system32\perfc009.dat
+ 2008-08-09 14:32 . 2011-04-05 00:48 445884 c:\windows\system32\perfh009.dat
- 2008-08-09 14:32 . 2011-04-03 23:26 445884 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-31 16806912]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
vavyb.exe [2011-3-31 82944]
.
c:\documents and settings\TONY\Start Menu\Programs\Startup\
iRotate.lnk - c:\program files\iRotate\iRotate.exe [2008-6-1 58104]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
viox.exe [2011-3-31 82944]
.
c:\documents and settings\Work\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
SuperHybridEngine.lnk - c:\program files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2008-9-11 311296]
.
[HKLM\~\startupfolder\C:^Documents and Settings^TONY^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\TONY\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^TONY^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
path=c:\documents and settings\TONY\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 06:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GIZMO2]
2008-11-17 16:34 2229512 ----a-w- c:\program files\GIZMO2\GIZMO.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 12:42 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 21:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
2008-04-14 12:00 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2008-04-14 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2008-04-14 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2008-02-13 03:08 21898024 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-25 09:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R2 CronService;Cron Service for Prey;c:\prey\platform\windows\cronsvc.exe [29/09/2010 5:21 PM 18432]
S0 3078356788;3078356788;c:\windows\system32\drivers\3078356788.sys --> c:\windows\system32\drivers\3078356788.sys [?]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\PC Tools Security\BDT\BDTUpdateService.exe [30/03/2011 11:56 PM 247760]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\DRIVERS\ManyCam.sys --> c:\windows\system32\DRIVERS\ManyCam.sys [?]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [16/10/2009 10:21 PM 17408]
S3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\DRIVERS\RT2860.sys --> c:\windows\system32\DRIVERS\RT2860.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-05 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
2011-04-05 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2938096170-2462371691-3002030570-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
2011-04-05 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2938096170-2462371691-3002030570-1010.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
2011-04-05 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2938096170-2462371691-3002030570-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
2011-01-28 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
2011-01-29 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2938096170-2462371691-3002030570-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
2010-11-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2938096170-2462371691-3002030570-1010.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
2011-04-01 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2938096170-2462371691-3002030570-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://eeepc.asus.com/global
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
TCP: {531BF312-1783-41CA-9C4F-B7F769AD89B3} = 202.96.128.86,202.96.134.133
FF - ProfilePath - c:\documents and settings\Work\Application Data\Mozilla\Firefox\Profiles\i5art0as.default\
FF - prefs.js: browser.search.selectedEngine - Web Search
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox ... S:official
FF - prefs.js: keyword.URL - hxxp://www.searchqu.com/web?src=ffb&systemid=402&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: FlashGot: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34} - %profile%\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-msnmsgr - c:\program files\Windows Live\Messenger\msnmsgr .exe
MSConfigStartUp-GrooveMonitor - c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\QTTask.exe
MSConfigStartUp-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
MSConfigStartUp-WinampAgent - c:\program files\Winamp\winampa.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-04 21:05
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2848)
c:\windows\system32\WININET.dll
c:\windows\Microsoft.NET\Framework\v1.1.4322\fusion.dll
c:\program files\eee storage\xpclient.dll
c:\windows\system32\ieframe.dll
c:\program files\eee storage\logicnp.eznamespaceextensions.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\igfxext.exe
.
**************************************************************************
.
Completion time: 2011-04-04 21:09:11 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-05 01:09
ComboFix2.txt 2011-04-03 23:28
.
Pre-Run: 22,514,319,360 bytes free
Post-Run: 22,494,658,560 bytes free
.
- - End Of File - - E52C5C0031CC55C758849018DF56EF44
Upload was successful
trestinc
Regular Member
 
Posts: 67
Joined: March 31st, 2011, 7:04 pm
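The helper reads the log above by eye, but the things worth noticing in it are mechanical: two different executables in two users' Startup folders with the same date and size (vavyb.exe and viox.exe), a boot-start service with a purely numeric name whose driver file is missing (3078356788.sys [?]), the Security Center AntiVirusOverride and FirewallOverride values set, the XP firewall disabled, Firefox's keyword.URL pointing at searchqu.com, and the security.warn_* prompts switched off in user.js. The Python below is an added example, not part of the thread and not a ComboFix feature: it runs those checks over a constructed excerpt in the layout of the log above. The finding names are my own.

```python
import re
from collections import defaultdict

# Constructed excerpt in the layout of the ComboFix log posted above.
SAMPLE_LOG = r"""
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
vavyb.exe [2011-3-31 82944]
.
c:\documents and settings\TONY\Start Menu\Programs\Startup\
iRotate.lnk - c:\program files\iRotate\iRotate.exe [2008-6-1 58104]
viox.exe [2011-3-31 82944]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
S0 3078356788;3078356788;c:\windows\system32\drivers\3078356788.sys --> c:\windows\system32\drivers\3078356788.sys [?]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [16/10/2009 10:21 PM 17408]
FF - prefs.js: keyword.URL - hxxp://www.searchqu.com/web?src=ffb&systemid=402&q=
FF - user.js: security.warn_submit_insecure - false
"""

# A Startup folder header line; the bare entries that follow it, up to the "." separator,
# belong to that folder. Shortcuts appear as "name.lnk - target"; a bare "name.exe [date size]"
# is a file dropped straight into the folder.
_STARTUP_DIR = re.compile(r"^c:\\.*\\Start Menu\\Programs\\Startup\\$", re.IGNORECASE)
_BARE_EXE = re.compile(r"^([^\\\s]+\.exe) \[(\d{4}-\d{1,2}-\d{1,2}) (\d+)\]$", re.IGNORECASE)
# Boot/system-start service whose name and display name are the same digit string and
# whose driver file ComboFix could not find ("[?]").
_UNKNOWN_DRIVER = re.compile(r"^([RS]0) (\d{6,});\2;(\S+\.sys) --> .*\[\?\]$", re.IGNORECASE)
_SC_OVERRIDE = re.compile(r'^"(AntiVirusOverride|FirewallOverride)"=dword:0*1$')
_FW_OFF = re.compile(r'^"EnableFirewall"=\s*0\b')
_KEYWORD_URL = re.compile(r"^FF - prefs\.js: keyword\.URL - (\S+)")
_WARN_OFF = re.compile(r"^FF - user\.js: (security\.warn\S*) - false$")


def triage(log_text: str) -> list:
    """Return a list of {"kind", "detail"} findings for a ComboFix-style log."""
    findings = []
    twins = defaultdict(list)  # (date, size) -> [(startup folder, file name)]
    folder = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if _STARTUP_DIR.match(line):
            folder = line
            continue
        if line == ".":
            folder = None
            continue
        m = _BARE_EXE.match(line) if folder else None
        if m:
            twins[(m.group(2), m.group(3))].append((folder, m.group(1)))
            continue
        m = _UNKNOWN_DRIVER.match(line)
        if m:
            findings.append({"kind": "unknown_boot_driver",
                             "detail": f"{m.group(1)} service {m.group(2)} points at missing {m.group(3)}"})
            continue
        m = _SC_OVERRIDE.match(line)
        if m:
            findings.append({"kind": "security_center_override", "detail": f"{m.group(1)} is set"})
            continue
        if _FW_OFF.match(line):
            findings.append({"kind": "firewall_disabled", "detail": "EnableFirewall = 0 in the standard profile"})
            continue
        m = _KEYWORD_URL.match(line)
        if m:
            host = m.group(1).split("//", 1)[-1].split("/", 1)[0]
            findings.append({"kind": "keyword_url_override",
                             "detail": f"address-bar searches go to {host}"})
            continue
        m = _WARN_OFF.match(line)
        if m:
            findings.append({"kind": "browser_warning_disabled", "detail": f"{m.group(1)} = false"})
    # Two differently named files with identical date and size in different Startup folders.
    for (date, size), hits in twins.items():
        names = sorted({name for _, name in hits})
        if len(names) > 1:
            findings.append({"kind": "startup_twins",
                             "detail": f"{', '.join(names)} share date {date} and size {size} bytes"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['kind']}] {f['detail']}")
```

None of these is proof of infection on its own (a vendor updater can legitimately sit in a Startup folder, and a user can turn the firewall off), which is why the output is a list of things to look at rather than a verdict.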

Re: Notebook infected with System Tool and other malware

Unread postby trestinc » April 4th, 2011, 9:22 pm

No windowdisk thing pops up when I go to add/remove programs.

I still get sent to www.search-result.com whenever I submit text in the address bar of Firefox, but not in the Opera browser.

Re: Notebook infected with System Tool and other malware

Unread postby trestinc » April 4th, 2011, 9:31 pm

I also can't see the volume indicator when I adjust the volume on my notebook. Same goes with adjusting brightness.

Re: Notebook infected with System Tool and other malware

Unread postby xixo_12 » April 5th, 2011, 8:31 am

Hi,
Let's uninstall and reinstall Mozilla Firefox.
Please let me know if you still get redirected.

Same goes for the volume indicator/brightness adjuster.
Please download it from their website and just reinstall it.

Re: Notebook infected with System Tool and other malware

Unread postby trestinc » April 5th, 2011, 1:00 pm

OK, so I uninstalled Firefox and downloaded and installed it again. Now I don't have the www.search-result.com problem.


However, after some time, I now have another malware... :?

Antimalware Doctor pops up from time to time, and there is a shortcut to it on my desktop.

Re: Notebook infected with System Tool and other malware

Unread postby xixo_12 » April 5th, 2011, 3:53 pm

Hi,

Let me see another DDS scan. Please provide the logs.

Re: Notebook infected with System Tool and other malware

Unread postby trestinc » April 5th, 2011, 8:10 pm

Alright, I had to shut down the computer because I had to head to school. I opened up the computer later on in normal Windows XP mode and the screen was just black. There was no blinking cursor; it was just black. Hitting Ctrl+Alt+Del, I was able to get back to the screen where you choose which OS you want to use. I tried Safe Mode Windows XP with networking and without networking, and I still get a black screen. Maybe I should wait longer, but it does not take this long to show the regular Windows XP loading screen.

I can, however, log into my other OS (Jolicloud) perfectly fine.

Edit: I just tried waiting 8 minutes for Windows XP to load up in Safe Mode with Networking, and I still have a black screen.

Re: Notebook infected with System Tool and other malware

Unread postby trestinc » April 6th, 2011, 1:23 pm

I can't run the DDS scan now since I can't get into Windows.

Re: Notebook infected with System Tool and other malware

Unread postby xixo_12 » April 6th, 2011, 6:56 pm

I need to check on something with my colleague.

I will come back to you ;)

Re: Notebook infected with System Tool and other malware

Unread postby trestinc » April 6th, 2011, 7:48 pm

Ok, hope to hear from you soon.

Not sure if I mentioned it, but before getting the new malware I was able to get into Windows normally. There was no black screen and no need to remove the battery to somehow trick the computer into loading the screen where you choose which OS / mode you want to start Windows in.

Re: Notebook infected with System Tool and other malware

Unread postby xixo_12 » April 7th, 2011, 7:00 am

Hi,
Let's proceed.
Give this a try. If it doesn't work, I will think of another step. ;)

First,
Boot to Last Known Good Configuration.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu will appear. If you begin tapping the F8 key too soon, some computers display a keyboard error message. To resolve this, restart the computer and try again.
  • Ensure that the Last Known Good Configuration option is selected.
  • Press Enter. The computer then begins to start in Last Known Good Configuration.
  • Login on your usual account.

What you need to post
Checklist.
  • Please let me know the result.

Re: Notebook infected with System Tool and other malware

Unread postby trestinc » April 7th, 2011, 11:13 am

OK, I saw your post from my notebook using the other OS (Jolicloud).

It's worth noting that Jolicloud was working perfectly fine at this point.

I shut down the computer and started it again to try the Last Known Good Configuration option via F8.

I chose Windows XP normal mode, and I still get a black screen with no blinking cursor.

After that I pressed Ctrl+Alt+Del to choose the OS again, this time to log in to the other OS (Jolicloud).

Now all that happens is that I'm stuck at the loading screen for Jolicloud, but that's still better than a black screen when choosing Windows XP.

I also tried Safe Mode again (with and without networking) for both OSes. I still get a black screen for Windows XP and the loading screen for Jolicloud.

Hope to hear from you soon, thanks.

Re: Notebook infected with System Tool and other malware

Unread postby xixo_12 » April 8th, 2011, 11:35 pm

Hi,
Let's proceed.
I would like to check on something before we can proceed. I suspect your MBR was corrupted.
Let's try this. Do let me know if you have any questions before performing the instructions.

You may be required to use an OS other than Jolicloud to prepare the stuff.
I'm not familiar with Jolicloud. Perhaps you can give it a try.

First,
Preparation.
  • Download both this file and this file and save them to your Desktop.
  • Insert your USB flash drive into your PC.
  • Click Start > My Computer, right click your flash drive's icon and select Format > Quick format - this will wipe the contents of the flash drive, so make sure there is nothing of value on there!
  • Double click unetbootin-xpud-windows-version number.exe that you just downloaded and OK any Security Warning that Windows may offer.
  • Select the Diskimage radio button and then click the browse button (the one with three dots on) located on the right side of the textbox field.
  • Browse to, and select, the xpud-0.9.2.iso file you downloaded above by double clicking it.
  • Verify the correct drive letter is selected for your USB device at the bottom and then click OK.
  • The program will install a little bootable OS onto your flash drive.
  • Once the files have been written to the drive you will be prompted to reboot - this isn't necessary, so just click Exit.
  • Finally, for this part at least, download the following file: dumpit, and save it to the flash drive you've just prepared.

Next,
MBRDump
  • You need to select the OS that is on the stick rather than let Windows take charge, so press F12 and choose to boot from the USB drive before Windows starts loading.
  • Follow the prompts and eventually a Welcome to xPUD screen will appear.
  • Click the File icon on the left.
  • Open the mnt folder by clicking it, just as you do in Windows.
  • You are going to identify the folder that represents your flash drive.
  • sda1, sda2 etc... will usually be your hard drive(s); sdb1 is likely to be your flash drive.
  • Double click on the flash drive folder, locate the dumpit file you downloaded previously and double click it.
  • A black Terminal window should open and the text therein should contain the legend: Press Enter to exit: - please do so.
  • Click the Home icon on the left and Power off the machine
  • Remove the USB drive and insert back in your working computer and locate the folder mbr.zip that it should now contain.
  • Please attach this folder in your next reply, you will need to put it in a compressed/zipped folder, or let me know if you had any problems.

What you need to post
Checklist.
  • Attachment of mbr.zip
User avatar
xixo_12
MRU Master Emeritus
 
Posts: 2340
Joined: October 14th, 2008, 11:40 am
Location: Malaysia
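The dumpit script the helper links to is not shown on the page; what the procedure produces is the first 512-byte sector of the disk (on a Linux live system such as xPUD the equivalent is dd if=/dev/sda of=mbr.bin bs=512 count=1, which is my assumption about what the script does, not something the post states). What the helper then looks at in that sector is the bootstrap code, the four partition-table entries and the 0x55AA signature. The Python below is an added example, not part of the thread or of any tool it names: it builds a constructed 512-byte MBR with an active XP partition followed by a Linux one (the bootstrap bytes are a stand-in, not real boot code), parses it, and reports the structural problems an analyst would check for: a missing signature, no or several active partitions, invalid boot flags, overlapping partitions, and bootstrap code that differs from a known-good copy, which is how a bootkit that leaves the partition table intact still shows up.

```python
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 440   # bytes 0..439 hold the bootstrap code; 440..445 disk signature and padding
PTABLE_OFF = 446     # four 16-byte partition entries follow
SIGNATURE = b"\x55\xaa"


def build_sample_mbr() -> bytes:
    """Constructed 512-byte MBR: an active NTFS (0x07) partition followed by a Linux (0x83) one."""
    mbr = bytearray(SECTOR)
    mbr[0:4] = b"\x33\xc0\x8e\xd0"   # illustrative stand-in for real bootstrap code
    entries = [(0x80, 0x07, 63, 40_000_000), (0x00, 0x83, 40_000_063, 20_000_000)]
    for i, (flag, ptype, start, size) in enumerate(entries):
        off = PTABLE_OFF + 16 * i
        mbr[off] = flag            # 0x80 = active, 0x00 = inactive
        mbr[off + 4] = ptype       # partition type byte
        struct.pack_into("<II", mbr, off + 8, start, size)   # LBA start, sector count
    mbr[510:512] = SIGNATURE
    return bytes(mbr)


def parse_mbr(data: bytes) -> dict:
    """Decode signature, partition table and a hash of the bootstrap code area."""
    if len(data) < SECTOR:
        raise ValueError("need at least 512 bytes")
    parts = []
    for i in range(4):
        off = PTABLE_OFF + 16 * i
        flag, ptype = data[off], data[off + 4]
        start, size = struct.unpack_from("<II", data, off + 8)
        if ptype == 0 and size == 0:
            continue   # empty slot
        parts.append({"index": i, "flag": flag, "type": ptype, "lba_start": start, "sectors": size})
    return {
        "signature_ok": data[510:512] == SIGNATURE,
        "bootcode_sha256": hashlib.sha256(data[:BOOTCODE_LEN]).hexdigest(),
        "partitions": parts,
    }


def check_mbr(data: bytes, reference_bootcode_sha256=None) -> list:
    """Return a list of problems; an empty list means the sector looks structurally sane."""
    info = parse_mbr(data)
    problems = []
    if not info["signature_ok"]:
        problems.append("missing 0x55AA boot signature")
    active = [p for p in info["partitions"] if p["flag"] == 0x80]
    if not active:
        problems.append("no active partition")
    elif len(active) > 1:
        problems.append("more than one active partition")
    for p in info["partitions"]:
        if p["flag"] not in (0x00, 0x80):
            problems.append(f"partition {p['index']}: invalid boot flag 0x{p['flag']:02x}")
    by_start = sorted(info["partitions"], key=lambda p: p["lba_start"])
    for a, b in zip(by_start, by_start[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            problems.append(f"partitions {a['index']} and {b['index']} overlap")
    # A reference hash would come from a known-good dump of the same disk or the stock
    # Windows XP boot code; compare the code area only, since the disk signature differs per machine.
    if reference_bootcode_sha256 and info["bootcode_sha256"] != reference_bootcode_sha256:
        problems.append("bootstrap code differs from the reference copy")
    return problems


if __name__ == "__main__":
    sample = build_sample_mbr()
    info = parse_mbr(sample)
    for p in info["partitions"]:
        print(f"entry {p['index']}: type 0x{p['type']:02x} flag 0x{p['flag']:02x} "
              f"start {p['lba_start']} sectors {p['sectors']}")
    print("problems:", check_mbr(sample) or "none")
```

To use it on a real dump, read the 512 bytes out of mbr.zip and pass them to check_mbr; a reference hash is only meaningful when it comes from a trusted copy of the same boot code.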

Re: Notebook infected with System Tool and other malware

Unread postby trestinc » April 9th, 2011, 4:18 pm

So I did all the things required to prepare the USB. I then inserted the USB into the notebook and kept pressing F12, and nothing happens; I'm still at the "Please select the operating system to start:" screen.